Yesterday the Senate amended and passed HR 3359, the ‘Cybersecurity and
Infrastructure Security Agency Act of 2018’. The bill creates the
Cybersecurity and Infrastructure Security Agency within DHS. The bill was
passed earlier this year in the House. Two amendments were made: the first
(SA 4403, pg S6497) was substitute language from Sen. Johnson (R,WI) and the
second was a minor amendment (SA 4404, pg S6502) from Sen. Murkowski (D,MO).
Both amendments and the bill were adopted without debate or vote. The bill
will now have to be reconsidered by the House.
Substitute Language
Most of the additions made by the Johnson amendment added
references to ‘Sector-Specific Agency’. This included a new definition of that
term added in the new §2201.
The language regarding the transfer of the DHS Federal Protective Service
{§3(b)} was greatly expanded. The original bill provided that DHS could transfer the
FPS to the new CISA. The substitute language approved yesterday expands on that
by providing instructions on what needs to occur if DHS declines to make that
move. This would include specific notifications to Congress and the involvement
of the OMB in subsequent evaluation of what to do with the FPS.
A new §4 of the bill was added that requires a report to Congress by DHS on the “leadership
role of the Department in cloud-based cybersecurity deployments for civilian
Federal departments and agencies” {§4(b)}.
There were a number of wording deletions made by the
substitute language. These include the rather inconsequential deletion of the
definitions of the terms ‘federal entity’ and ‘non-federal entity’.
One potentially significant deletion in the new §2202 is made in paragraph
(e)(1) where the responsibilities of the new CISA Director are enumerated. Sub-paragraph
(M) was deleted. That originally read:
“To ensure, in conjunction with the chief information officer of the Department, that
any information databases and analytical tools developed or utilized by the
Department—
“(i) are compatible with one another and with relevant information
databases of other Federal Government agencies; and
“(ii) treat information in such databases in a manner that complies
with applicable Federal law on privacy.”
Finally, a change was made to the wording in the bill dealing
with the Chemical Facility Anti-Terrorism Standards (CFATS) program. In
explicating the responsibilities of the new Assistant Director for the new Infrastructure
Security Division we see both an addition and deletion made to the wording of
the original bill. The quote below shows both the addition (underlined) and the
deletion (struck-through) made to §2204(b)(2).
“(2) carry out efforts, at the direction of the Director, to secure the
United States high-risk chemicals and chemical facilities consistent with law, including
the Chemical Facilities Anti-Terrorism Standards Program established under
title XXI and the secure handling of ammonium nitrate program established under
subtitle J of title VIII, or any successor programs;”
Commentary
I continue to believe that this change to the status of the
current National Protection and Programs Directorate is mainly a smoke and
mirrors change. I have had a number of people with closer connection to the
operation of DHS inform me that this has to do mainly with the status of the
new Director and the authority of the new agency to deal with administrative
and spending matters; none of which is directly addressed in the language of
the bill.
The change in wording of §2204(b)(2) has me a little bit
concerned. Neither the addition nor the deletion has any direct effect on the CFATS
program. The added ‘any successor’ language is typically a legal distinction
addressing the fact that Congress could change the name of the program at any
time. Similarly, the deleted words have no apparent practical effect on the
inclusion of the CFATS program in the new Infrastructure Security Division. But,
there is a nagging question in my mind as to why Johnson made these specific
changes to the wording about the CFATS program; is there something in the works?
I am more concerned, however, with the deletion of §2202(e)(1)(M). I am not
an active privacy advocate, particularly when it comes to the Federal government,
mainly because I suspect that we have completely surrendered any pretense of privacy
protection and any attempts to put the genie back in the bottle are mainly for
show rather than for any practical effect. Having said that, I am concerned
that Johnson thought that it was appropriate to remove language from the bill
that provided some modicum of privacy protection to information collected by
DHS. It probably was not going to be very effective, but it at least made a
show of being concerned.